Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 1 Feb 2017 11:56:16 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Multiple memory access issues in gstreamer

Hi,

https://gstreamer.freedesktop.org/releases/1.10/#1.10.3

gstreamer 1.10.3 got released, from the release notes:
"Various fixes for crashes, assertions, deadlocks and memory leaks on
fuzzed input files and in other situations"

Here they are (at least the ones I reported):

https://bugzilla.gnome.org/show_bug.cgi?id=775450
gst-plugins-good/aacparse: invalid memory read in
gst_aac_parse_sink_setcaps

https://bugzilla.gnome.org/show_bug.cgi?id=775451
gst-plugins-good/qtdemux: out of bounds read in qtdemux_tag_add_str_full

https://bugzilla.gnome.org/show_bug.cgi?id=777262
gst-plugins-base/riff-media: floating point exception in
gst_riff_create_audio_caps

https://bugzilla.gnome.org/show_bug.cgi?id=777263
gstreamer core/datetime: out of bounds read in
gst_date_time_new_from_iso8601_string()

https://bugzilla.gnome.org/show_bug.cgi?id=777265
gst-plugins-base/riff: stack overflow in gst_riff_create_audio_caps

https://bugzilla.gnome.org/show_bug.cgi?id=777469
gst-plugins-good/qtdemux: out of bounds heap read in
qtdemux_parse_samples


https://bugzilla.gnome.org/show_bug.cgi?id=777500
gst-plugins-good/avidemux: gst_avi_demux_parse_ncdt heap out of bounds
read

https://bugzilla.gnome.org/show_bug.cgi?id=777502
gst-plugins-base/samiparse: heap oob in html_context_handle_element

https://bugzilla.gnome.org/show_bug.cgi?id=777503
gst-plugins-bad/mxfdemux: use after free in gst_mini_object_unref /
gst_tag_list_unref / gst_mxf_demux_update_essence_tracks

https://bugzilla.gnome.org/show_bug.cgi?id=777525
gst-plugins-base: floating point exception in gst_riff_create_audio_caps
(different than #777262)

https://bugzilla.gnome.org/show_bug.cgi?id=777532
gst-plugins-good/avidemux: invalid memory read in
gst_avi_demux_parse_ncdt

https://bugzilla.gnome.org/show_bug.cgi?id=777937
gst-plugins-ugly/asfdemux: invalid memory read in
gst_asf_demux_process_ext_stream_props()



And more that didn't make it into 1.10.3:

https://bugzilla.gnome.org/show_bug.cgi?id=777955
gst-plugins-ugly/asfdemux: out of bounds read in
gst_asf_demux_process_ext_content_desc

https://bugzilla.gnome.org/show_bug.cgi?id=777957
gst-plugins-bad/mpegdemux: Invalid memory read in gst_ps_demux_parse_psm


(example files are always attached or linked in the bug reports)

I also reported multiple other issues like memory leaks or hangs which
I consider have no security relevance.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.